Menu
01101110 01100101 01110100 01110111 01101111 01110010 01101011 01100001 01100100 01101101 01101001 01101110 01110100 01101111 01101111 01101100 01110011 00001101 00001010

Background

Manage Engine

Our readers provide the funding for our platform, and we may receive a commission when you make a purchase using the links on our site.

Monitor Default Web Logs

/ May 10, 2018 — Security

Most web addresses are all name based on the server side. That is, netadmintools.com and associated logs are monitored and tracked in a different file than requests to the IP address. The first entry in the VirtualHost section of the httpd.conf file for Apache is where the requests without a name go.

Stick a very simple page at this address.

Don’t go putting stuff available here that could be vulnerable. As a general rule, don’t put any PHP stuff here.

Look through the logs at the default address to see what the bot armies are looking for. Here is a compromised machine that is searching for something to invade that hit one of our servers an hour ago:

7 
$ grep 1.2.3.4 access_log
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /forum/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET / HTTP/1.1" 200 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /forums/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpbb/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /board/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /boards/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB2/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /msgboard/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /foros/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /portal/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
[qtower@main logs]$

If you see something besides 404, pay attention, as your site is being watched by a million hosts waiting for a flaw. Remember that to ease installation, some packages will install across your entire web server, so /phpBB2/ will work across all domains including the default.

Information

About